.internal, .corp, private IP addresses) without depending on an external provider. Certificates are trusted by any machine that has your root CA installed in its trust store.
Create a root CA
- Go to Admin → Certificate Authorities → New
- Select type Internal — Root
- Fill in:
- Save — CertForge generates the key pair and self-signed certificate. The private key is encrypted at rest.
Download the root certificate
After creating the CA, download the root certificate PEM from Admin → Certificate Authorities → [CA] → Download Root. Distribute this file to all machines that should trust certificates issued by your CA.Install root on Linux (system-wide)
Install root on Windows
Install root on macOS
Create an intermediate CA (optional)
Using an intermediate keeps your root CA private — if the intermediate is ever compromised, you revoke just the intermediate without touching the root.- Go to Admin → Certificate Authorities → New
- Select type Internal — Intermediate
- Choose the parent root CA
- Fill in name, CN, validity, key type
- Save — CertForge signs the intermediate with the root automatically
Create a Domain Trust Profile
- Go to Admin → Domain Trust Profiles → New
- Set:
- Domains:
*.internal.corp.com(or your internal domain pattern) - CA: select your root or intermediate CA
- Require approval: choose based on your policy
- Domains:
- Save
Issue your first internal certificate
Via dashboard
- Go to Certificates → Enroll New
- Fill in name and domains
- Submit — the request enters the approval queue (or is issued immediately if approval is off)
- Download the certificate from Certificates → [entry] → Download